Docs for rc5 (#1731)

* docs for rc5

* docs improve

* proofread docs

* again

* more

Author: Jeadie

website/docs/components/data-connectors/mongodb.md

@@ -265,6 +265,32 @@ datasets:
       mongodb_pool_max: 10
 ```
 
+### Using MongoDB Change Streams
+
+Spice supports real-time Change Data Capture (CDC) from MongoDB using native [MongoDB Change Streams](https://www.mongodb.com/docs/manual/changeStreams/). This enables streaming inserts, updates, and deletes from your MongoDB collections directly into Spice accelerators.
+
+To enable real-time CDC, set `refresh_mode: changes` in the dataset's configuration:
+
+```yaml
+datasets:
+  - from: mongodb:my_collection
+    name: my_collection
+    params:
+      host: my-cluster.mongodb.net
+      db: mydb
+    acceleration:
+      enabled: true
+      engine: duckdb
+      refresh_mode: changes
+```
+
+#### Notes
+- Requires MongoDB 4.0+ and a replica set or sharded cluster.
+- Ensure your MongoDB user has `changeStream` privileges.
+
+---
+
+
 ## Secrets
 
 Spice integrates with multiple secret stores to help manage sensitive data securely. For detailed information on supported secret stores, refer to the [secret stores documentation](../secret-stores). Additionally, learn how to use referenced secrets in component parameters by visiting the [using referenced secrets guide](../secret-stores#using-secrets).

website/docs/components/data-connectors/snowflake.md

@@ -3,6 +3,9 @@ title: 'Snowflake Data Connector'
 sidebar_label: 'Snowflake Data Connector'
 description: 'Snowflake Data Connector Documentation'
 pagination_prev: null
+tags:
+  - data-connectors
+  - write
 ---
 
 import Tabs from '@theme/Tabs';

website/docs/reference/spicepod/runtime.md

@@ -215,6 +215,15 @@ The TLS section specifies the configuration for enabling Transport Layer Securit
 
 In addition to configuring TLS via the manifest, TLS can also be configured via `spiced` command line arguments using the `--tls-enabled true` flag along with `--tls-certificate`/`--tls-certificate-file` and `--tls-key`/`--tls-key-file`.
 
+### Certificate Hot-Reload
+
+Spice can hot-reload TLS certificates and client CA files for runtime endpoints. Update the certificate, key, or CA file on disk, then send `SIGHUP` to the Spice process to reload without restart. Only file-based certificates/keys/CA are hot-reloaded (not inline PEM). Existing connections are not interrupted; only new connections use the updated files. If reload fails, the previous certificate remains active and a warning is logged.
+
+**Steps:**
+1. Replace the certificate/key/CA file on disk.
+2. Send `SIGHUP` to the Spice process (e.g., `kill -SIGHUP <pid>`).
+3. Check logs for reload confirmation or errors.
+
 ### `runtime.tls.enabled`
 
 Enables or disables TLS for the runtime endpoints.
@@ -233,7 +242,6 @@ The TLS certificate to use for securing the runtime endpoints. The certificate c
 ```yaml
 runtime:
   tls:
-    ...
     certificate: |
       -----BEGIN CERTIFICATE-----
       ...
@@ -254,7 +262,6 @@ The path to the TLS PEM-encoded certificate file. Only one of `certificate` or `
 ```yaml
 runtime:
   tls:
-    ...
     certificate_file: /path/to/cert.pem
 ```
 
@@ -265,10 +272,9 @@ The TLS key to use for securing the runtime endpoints. The key can also come fro
 ```yaml
 runtime:
   tls:
-    ...
     key: |
       -----BEGIN PRIVATE KEY-----
-      ...
+      (private key contents)
       -----END PRIVATE KEY-----
 ```
 
@@ -286,7 +292,6 @@ The path to the TLS PEM-encoded key file. Only one of `key` or `key_file` must b
 ```yaml
 runtime:
   tls:
-    ...
     key_file: /path/to/key.pem
 ```
 
@@ -323,7 +328,6 @@ Path to a PEM-encoded CA bundle used to verify client certificates. The file is
 ```yaml
 runtime:
   tls:
-    ...
     client_auth_ca_file: /path/to/client-ca.pem
 ```
 
@@ -334,7 +338,6 @@ Inline PEM (or `${ secrets:... }`) form of the client CA bundle. Mutually exclus
 ```yaml
 runtime:
   tls:
-    ...
     client_auth_ca: |
       -----BEGIN CERTIFICATE-----
       ...